USN-1641-1: OpenStack Keystone vulnerabilities

Ubuntu Security Notice USN-1641-1

keystone vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.10

Ubuntu 12.04 LTS

Summary

Keystone would allow unintended access to files over the network.

Software description

keystone
- OpenStack identity service

Details

Vijaya Erukala discovered that Keystone did not properly invalidate EC2-style credentials such that if credentials were removed from a tenant, an authenticated and authorized user using those credentials may still be allowed access beyond the account owner's expectations. (CVE-2012-5571)

It was discovered that Keystone did not properly implement token expiration. A remote attacker could use this to continue to access an account that is disabled or has a changed password. This issue was previously fixed as CVE-2012-3426 but was reintroduced in Ubuntu 12.10. (CVE-2012-5563)

Update instructions

The problem can be corrected by updating your system to the following
package version: